From the course: ASP.NET MVC 5 Identity: Authentication and Authorization
Simple authorization
- [Instructor] By default in ASP.NET MVC, when you create a new controller, all the users are allowed to use any controller and action of your web application, which is potentially unsafe. Also, you cannot use a routing or web.config file to secure your MVC application. The only supported way to secure your MVC application is to apply the Authorize attribute to each controller and then modify it to create more detailed authentication conditions. There is a fundamental difference in protected resources between Web Forms and MVC. For example, in Web Forms, the resources you are trying to protect are the pages themselves. And since the pages exist on a disk at a well-known path, you can use web.config to secure them. However, in MVC, the resources you are trying to protect are actually controllers and actions, not individual paths and pages. If you try protecting the path rather than the controller, your application likely has a security vulnerability. Authorize attribute is the simplest way…
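The point above, that protection attaches to controllers and actions rather than to URL paths, can be checked mechanically. The following is an added example, not code from the course: the controller names and the `AuthorizationAudit` helper are hypothetical, and it assumes the ASP.NET MVC 5 `System.Web.Mvc` assembly is referenced.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Hypothetical controllers, constructed for this example.
[Authorize]                                  // every action requires a signed-in user
public class AccountController : Controller
{
    public ActionResult Manage() { return View(); }
    [AllowAnonymous]                         // the login page must stay reachable
    public ActionResult Login() { return View(); }
}

public class LegacyController : Controller   // no attribute: open to all users
{
    public ActionResult Export() { return View(); }
}

public static class AuthorizationAudit
{
    // Returns "Controller.Action" for each public action that has no [Authorize]
    // on the action or its controller and no [AllowAnonymous] on the action.
    // Only covers actions whose declared return type derives from ActionResult.
    public static IEnumerable<string> FindUnprotectedActions(Assembly assembly)
    {
        var controllers = assembly.GetTypes()
            .Where(t => !t.IsAbstract && typeof(Controller).IsAssignableFrom(t));
        foreach (var controller in controllers)
        {
            bool classProtected = controller.IsDefined(typeof(AuthorizeAttribute), true);
            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName && typeof(ActionResult).IsAssignableFrom(m.ReturnType));
            foreach (var action in actions)
            {
                bool decided = classProtected
                    || action.IsDefined(typeof(AuthorizeAttribute), true)
                    || action.IsDefined(typeof(AllowAnonymousAttribute), true);
                if (!decided) yield return controller.Name + "." + action.Name;
            }
        }
    }
}
```

Calling `FindUnprotectedActions` on the web project's assembly from a unit test, and failing the build when it returns anything, catches a newly added controller that was left open by default.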